cognitive cybersecurity intelligence

News and Analysis

Canadian Edition: Care1 Data Leaks Removes Need for Hacking – DataBreaches.Net

Chaps, I’ve just stumbled upon a rather disconcerting piece of news that I believe you might find intriguing, especially if healthcare and cybersecurity interest you. Let’s talk about the recent mishap at a Canadian company called Care1.

Care1 is a fascinating outfit. They offer Artificial Intelligence (AI) software solutions, predominantly aimed at helping optometrists deliver better patient care. Not too bad, eh? Except they’ve been caught with their trousers down in a rather awkward security debacle.

Our man of the hour, Jeremiah Fowler, found that Care1 had over 4.8 million records sitting in a database with no password protection at all. Hold your gasps, folks. This publicly exposed database held more than 2.2 TB of data and was neither password-protected nor encrypted. Rather a glaring oversight from a company in the tech space, don’t you think?

Within this mother lode, Fowler found eye exam records in PDF format. Doesn’t sound so bad, right? Well. They included patient PII, doctors’ comments and images of the test results. There were also .csv and .xls spreadsheets listing patients along with their home addresses, Personal Health Numbers (PHN) and other health details.

Upon discovering this exposure, Fowler did the honourable thing and sent a responsible disclosure notice. No dilly-dallying there. Can you guess what happened next? Public access was restricted the following day. That’s right, chaps. The very next day.

Now the burning question, of course, is whether responsibility for this breach falls on Care1 itself or on a third-party contractor to which it outsourced its hosting or security. The prompt reply from an administrator after Fowler’s notice gives little away on that point. They simply wrote back, “Thank you for bringing this to our attention. Our team is currently working on resolving this issue.”

Fowler himself acknowledged that he could not tell how long the database had been exposed or whether any malicious third parties had accessed it. The bucket was indexed, with links to files dating back to July 2023 and possibly earlier. Bear in mind that file dates tell you how old the data is, not how long the listing was reachable without credentials; the actual exposure window could be shorter or longer than that. Only an internal forensic audit of the access logs would settle it and identify any further suspicious activity.

One might hope that, at the very least, Care1 or their vendor kept access logs that go back before July 2023! After this ball drop of epic proportions, we’re left wondering whether Care1 will muster the gumption to publicly disclose the error of their ways and notify the practices and patients affected by their blunder. Only time will tell, folks.
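Since the whole question of what happened before Fowler’s notice comes down to the access logs, here is an added example (my own, not anything from Care1, their vendor or DataBreaches.net) of the first pass a forensic audit would make over them: read bucket access log records, keep the successful unauthenticated reads and listings, and report how many there were, from how many addresses, and when the earliest and latest occurred. The page never says which storage provider was involved, so the S3 server access log layout is assumed purely because it is well documented and records the requester on every request (an anonymous request carries `-` in that field); the log lines below are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Leading fields of an S3 server access log record. ASSUMPTION: the page never
# names the provider; this format is used only because it is well documented.
# Layout: owner bucket [time] ip requester request_id operation key "request-uri" status ...
_RECORD = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3})\b'
)

# Constructed sample log: two anonymous GETs from one address in July, a
# legitimate authenticated PUT, and an anonymous read of a patient export in
# August plus a failed anonymous read that should not count as a disclosure.
SAMPLE_LOG = """\
ownerid examplebucket [02/Jul/2023:09:15:02 +0000] 203.0.113.7 - 1A2B3C REST.GET.BUCKET - "GET /examplebucket?list-type=2 HTTP/1.1" 200 - 4096 - 12 - "-" "Mozilla/5.0" -
ownerid examplebucket [02/Jul/2023:09:15:09 +0000] 203.0.113.7 - 1A2B3D REST.GET.OBJECT exams/2023/patient-0001.pdf "GET /examplebucket/exams/2023/patient-0001.pdf HTTP/1.1" 200 - 238114 238114 40 - "-" "curl/8.1.2" -
ownerid examplebucket [02/Jul/2023:09:16:30 +0000] 10.0.0.5 ownerid 1A2B3E REST.PUT.OBJECT exams/2023/patient-0002.pdf "PUT /examplebucket/exams/2023/patient-0002.pdf HTTP/1.1" 200 - - 190222 55 - "-" "aws-sdk-python/1.26" -
ownerid examplebucket [15/Aug/2023:22:03:11 +0000] 198.51.100.23 - 1A2B3F REST.GET.OBJECT exports/patients.csv "GET /examplebucket/exports/patients.csv HTTP/1.1" 200 - 9811222 9811222 310 - "-" "python-requests/2.31" -
ownerid examplebucket [15/Aug/2023:22:03:40 +0000] 198.51.100.23 - 1A2B40 REST.GET.OBJECT exports/missing.xls "GET /examplebucket/exports/missing.xls HTTP/1.1" 404 NoSuchKey 291 - 9 - "-" "python-requests/2.31" -
"""


def parse_record(line):
    """Parse one access log line into a dict, or return None if it is not a record."""
    m = _RECORD.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # An anonymous request has no canonical user ID in the requester field.
    rec["anonymous"] = rec["requester"] == "-"
    return rec


def audit_anonymous_access(lines):
    """Summarise successful unauthenticated reads and listings.

    Only 2xx GET/HEAD requests count: a 403 or 404 from an anonymous caller is
    a probe, not a disclosure. Returns counts, distinct source IPs, a breakdown
    by operation, the number of bucket listings, and the first/last timestamps
    (ISO 8601) so they can be compared with the age of the oldest indexed file.
    """
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or not rec["anonymous"]:
            continue
        if 200 <= rec["status"] < 300 and rec["operation"].startswith(("REST.GET", "REST.HEAD")):
            hits.append(rec)
    summary = {
        "count": len(hits),
        "ips": len({r["ip"] for r in hits}),
        "operations": dict(Counter(r["operation"] for r in hits)),
        "listings": sum(1 for r in hits if r["operation"] == "REST.GET.BUCKET"),
        "first": None,
        "last": None,
    }
    if hits:
        times = sorted(r["time"] for r in hits)
        summary["first"] = times[0].isoformat()
        summary["last"] = times[-1].isoformat()
    return summary


if __name__ == "__main__":
    for field, value in audit_anonymous_access(SAMPLE_LOG.splitlines()).items():
        print(f"{field}: {value}")
```

Feed it the real log export instead of SAMPLE_LOG. An earliest anonymous hit that predates the oldest indexed file, or a listing request from an address nobody recognises, is exactly the sort of evidence a notification decision should rest on; a log retention window that starts after the exposure began is the finding nobody wants to write up.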

While we wait, it’s another stark reminder for us all, in healthcare, cybersecurity or otherwise, that data security isn’t just a matter of protocol, it’s a matter of trust. To all the Care1s out there, let’s pull up our socks and make sure something like this doesn’t happen again, shall we? After all, we’re playing with people’s lives here, not just numbers on a spreadsheet.

by Parker Bytes